At KubeCon London, two of Kyverno’s project maintainers—Vishal Choudhary and Frank Jogeleit—delivered a highly anticipated and well-attended talk titled “Unlocking the Future of Kubernetes Policy as Code with Kyverno.” The session explored Kyverno’s powerful current capabilities and offered a first look at significant changes coming to the project that are set to reshape how policy as code is implemented in Kubernetes and beyond.
If you attended the equally popular session, “A Practical Guide to Kubernetes Policy as Code,” which highlighted the current landscape of Kubernetes-native policy enforcement, this follow-up dives deeper into Kyverno’s unique approach and evolution.
What is Kyverno?
As Frank Jogeleit explains, Kyverno is a CNCF incubating project explicitly designed for Kubernetes in a Kubernetes-native way. The name “Kyverno” is derived from the Greek word for “to govern,” and that’s exactly what it aims to do—govern Kubernetes resources with policies that are easy to write, manage, and enforce.
Unlike other policy engines that require learning new languages like Rego, Kyverno relies exclusively on YAML, making it accessible and intuitive for Kubernetes users. It’s deeply integrated with Kubernetes logic, making it one of the most native policy engines available today.
Kyverno’s Current Capabilities
Frank outlined a comprehensive suite of capabilities that make Kyverno a versatile tool for managing Kubernetes clusters at scale:
- Admission Controller & Scanner: Validates new resources at admission time and continuously scans existing ones.
- Auditing & Reporting: Helps you track compliance and visibility with built-in reports.
- Ease of Adoption: Fully Kubernetes-native, no external tooling or DSL required.
- Extensive Policy Library: A large collection of reusable, community-driven policy templates.
- Active Community Support: Over 3,000 users actively engaging via Slack.
- External Payload Support: Validates any JSON format payload, not just Kubernetes objects.
Types of Policies Currently Supported
- Validation: Enforces required labels, resource limits, security settings, and more. Supports background scanning and multiple expression engines including JMESPath and CEL.
- Mutation: Automatically adjusts resources to meet requirements before validation, using JSON and strategic merge patches.
- Generation: Creates and maintains resources like default network policies for new namespaces—useful in multi-tenant environments.
- Cleanup: Periodically removes unused or noncompliant resources based on TTL or defined rules.
- Image Verification: Ensures only trusted container images are used, supporting Notary, Cosign, SBOMs, and GitHub Artifact Attestations.
Why Kyverno is Changing
As Vishal Choudhary described, Kubernetes now offers native admission policy support using CEL, which overlaps with some of Kyverno’s features. While Kyverno has always aimed for flexibility, the proliferation of similar logic types—patterns, assertion trees, and CEL—created a sprawling API that’s harder to maintain and learn.
The upcoming changes aim to:
- Simplify Kyverno’s API
- Increase performance
- Align with Kubernetes’ standardized admission policies
- Retain support for both Kubernetes and non-Kubernetes JSON resources
- Make Kyverno easier for new users and more scalable for advanced use cases
Introducing New Policy Types
To simplify its user experience while preserving advanced capabilities, Kyverno is introducing five new policy types. These are designed to be more expressive and align with Kubernetes APIs, while offering features that go beyond what the Kubernetes API server supports.
1. Validating Policy
Built on the Kubernetes ValidatingAdmissionPolicy (VAP) API, with Kyverno-specific extensions like:
- External API calls (http.get)
- In-cluster resource access
- Custom audit annotations
- Background scanning
- JSON payload support via a toggleable evaluation mode
2. Image Validating Policy
Also based on VAP, but tailored for container image verification. Features include:
- Native support for trusted authorities (Notary, Cosign)
- Image attestation verification (SBOMs, vuln scans)
- Works on pods, controllers, and custom resources
- Can be applied to any JSON payload with image references
As Vishal noted, “We created five different policy types so previously we only had one cluster policy, but we decided to split them… creating a much simpler API.” He emphasized that these changes are about extending functionality without losing any of Kyverno’s core behavior.
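An added example (not from the talk or the Kyverno repository) of what the new Validating Policy described above looks like in practice: a policy that denies privileged containers in Deployments, keeps background scanning on so already-running workloads are reported too, and records a custom audit annotation. The field names follow the Kyverno 1.14 `policies.kyverno.io/v1alpha1` API as I understand it and should be checked against the Kyverno docs before use.

```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: disallow-privileged-containers
spec:
  # Reject non-compliant Deployments at admission time
  validationActions:
    - Deny
  evaluation:
    admission:
      enabled: true
    # Background scanning: existing Deployments that violate the rule
    # show up in policy reports even though they were admitted earlier
    background:
      enabled: true
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments"]
  variables:
    # Collect every container in the pod template, init containers included
    - name: allContainers
      expression: >-
        object.spec.template.spec.containers +
        (has(object.spec.template.spec.initContainers)
          ? object.spec.template.spec.initContainers : [])
  validations:
    # Same CEL as a plain ValidatingAdmissionPolicy would use
    - expression: >-
        variables.allContainers.all(c,
          !has(c.securityContext) ||
          !has(c.securityContext.privileged) ||
          !c.securityContext.privileged)
      message: "Privileged containers are not allowed; set securityContext.privileged to false."
  # Kyverno-specific extension: custom audit annotation on the admission review
  auditAnnotations:
    - key: privileged-check
      valueExpression: "'evaluated ' + string(variables.allContainers.size()) + ' containers'"
```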
Availability
The Validating Policy and Image Validating Policy are available now in the Kyverno 1.14 release. The remaining three—Mutating Policy, Generating Policy, and Cleanup Policy—are on the roadmap and will roll out in upcoming releases based on community input.
Try It Yourself
Frank and Vishal concluded their session with a live demonstration of the new policy types in action and shared a QR code linking to a public GitHub repository filled with examples and a policy playground. The best part? You don’t need to install Kyverno to try them out—just access the playground and start experimenting.
Ready to Dive Deeper into Policy as Code?
If you’re interested in modernizing how you secure and manage Kubernetes with policy as code—or you’re curious about the next evolution of Kyverno—our team at Nirmata is here to help. We are the originators and core maintainers of Kyverno, and we work every day to support the Kubernetes ecosystem with tools that are native, powerful, and easy to adopt.
Get in touch to learn more about Kyverno, to get help implementing policies, or to contribute to the future of policy as code in Kubernetes. See more on Kyverno from Nirmata here.